About Domain Controller Selection (domain_krb.properties file)

The domain_krb.properties file determines which domain controllers are used for directories that have DNS Service Location (SRV records) lookup enabled. It contains a list of domain controllers for each domain. The connector creates the file initially, and you must maintain it subsequently. The file overrides DNS Service Location (SRV) lookup.

The following types of directories have DNS Service Location lookup enabled:

Active Directory over LDAP with the This Directory supports DNS Service Location option selected

When you first create a directory that has DNS Service Location lookup enabled, a domain_krb.properties file is created automatically in the /usr/local/horizon/conf directory of the virtual machine and is auto-populated with domain controllers for each domain. To populate the file, the connector attempts to find domain controllers that are at the same site as the connector and selects two that are reachable and that respond the fastest.

When you create additional directories that have DNS Service Location enabled, or add new domains to an Integrated Windows Authentication directory, the new domains, and a list of domain controllers for them, are added to the file.

You can override the default selection at any time by editing the domain_krb.properties file. As a best practice, after you create a directory, view the domain_krb.properties file and verify that the domain controllers listed are the optimal ones for your configuration. For a global Active Directory deployment that has multiple domain controllers across different geographical locations, using a domain controller that is in close proximity to the connector ensures faster communication with Active Directory.

You must also update the file manually for any other changes. The following rules apply.

The domain_krb.properties file is created in the virtual machine that contains the connector. In a typical deployment, with no additional connectors deployed, the file is created in the VMware Identity Manager service virtual machine. If you are using an additional connector for the directory, the file is created in the connector virtual machine. A virtual machine can only have one domain_krb.properties file.

The file is created, and auto-populated with domain controllers for each domain, when you first create a directory that has DNS Service Location lookup enabled.

Domain controllers for each domain are listed in order of priority. To connect to Active Directory, the connector tries the first domain controller in the list. If it is not reachable, it tries the second one in the list, and so on.

The file is updated only when you create a new directory that has DNS Service Location lookup enabled or when you add a domain to an Integrated Windows Authentication directory. The new domain and a list of domain controllers for it are added to the file.

Note that if an entry for a domain already exists in the file, it is not updated. For example, if you created a directory, then deleted it, the original domain entry remains in the file and is not updated.

The file is not updated automatically in any other scenario. For example, if you delete a directory, the domain entry is not deleted from the file.

If a domain controller listed in the file is not reachable, edit the file and remove it.

If you add or edit a domain entry manually, your changes will not be overwritten.

How Domain Controllers are Selected to Auto-Populate the domain_krb.properties File

To auto-populate the domain_krb.properties file, domain controllers are selected by first determining the subnet on which the connector resides (based on the IP address and netmask), then using the Active Directory configuration to identify the site of that subnet, getting the list of domain controllers for that site, filtering the list for the appropriate domain, and picking the two domain controllers that respond the fastest.

To detect the domain controllers that are the closest, VMware Identity Manager has the following requirements:

The subnet of the connector must be present in the Active Directory configuration, or a subnet must be specified in the runtime-config.properties file. See Overriding the Default Subnet Selection.

The subnet is used to determine the site.

The Active Directory configuration must be site aware.

If the subnet cannot be determined or if your Active Directory configuration is not site aware, DNS Service Location lookup is used to find domain controllers, and the file is populated with a few domain controllers that are reachable. Note that these domain controllers may not be at the same geographical location as the connector, which can result in delays or timeouts while communicating with Active Directory. In this case, edit the domain_krb.properties file manually and specify the correct domain controllers to use for each domain. See Editing the domain_krb.properties file.
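The selection procedure above (subnet derived from the connector's IP address and netmask, site lookup, filtering for the domain, the two fastest responders, and the SRV fallback when no site can be determined), together with the earlier rules that the connector tries listed controllers in order and that an existing domain entry is never overwritten, as an added Python model. This is example code written for this page, not VMware's implementation; the subnet objects, site membership, SRV answers, latencies and the domain=host:389,host:389 entry format are constructed assumptions, not values taken from the page.

```python
import ipaddress
from typing import Optional

# Constructed sample forest (an assumption, not real data): AD subnet objects
# map a CIDR to a site; each site lists its domain controllers as (host, domain).
AD_SUBNETS = {"10.1.0.0/16": "London", "10.2.0.0/16": "Sydney"}
SITE_DCS = {
    "London": [("dc1.emea.example.com", "emea.example.com"),
               ("dc2.emea.example.com", "emea.example.com"),
               ("dc3.emea.example.com", "emea.example.com"),
               ("dc1.corp.example.com", "corp.example.com")],
    "Sydney": [("dc1.apac.example.com", "apac.example.com"),
               ("dc4.emea.example.com", "emea.example.com")],
}
# What a site-unaware DNS SRV lookup (_ldap._tcp.<domain>) would hand back.
SRV_DCS = {
    "emea.example.com": ["dc3.emea.example.com", "dc4.emea.example.com", "dc1.emea.example.com"],
    "corp.example.com": ["dc1.corp.example.com"],
}
# Simulated round-trip time in milliseconds; None means the controller did not answer.
LATENCY_MS = {"dc1.emea.example.com": 3.0, "dc2.emea.example.com": 50.0,
              "dc3.emea.example.com": None, "dc4.emea.example.com": 180.0,
              "dc1.corp.example.com": 7.0, "dc1.apac.example.com": 210.0}
LDAP_PORT = 389  # assumed port suffix in the domain=host:port,host:port entry format


def probe(host: str) -> Optional[float]:
    """Stand-in for a real reachability/latency probe of one domain controller."""
    return LATENCY_MS.get(host)


def connector_subnet(ip: str, netmask: str) -> ipaddress.IPv4Network:
    """Step 1: derive the connector's subnet from its IP address and netmask."""
    return ipaddress.ip_network(f"{ip}/{netmask}", strict=False)


def site_for_subnet(subnet: ipaddress.IPv4Network, ad_subnets=AD_SUBNETS) -> Optional[str]:
    """Step 2: AD site whose subnet object contains the connector subnet
    (most specific prefix wins); None when the site cannot be determined."""
    best = None
    for cidr, site in ad_subnets.items():
        net = ipaddress.ip_network(cidr)
        if subnet.subnet_of(net) and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, site)
    return best[1] if best else None


def fastest_reachable(hosts, probe_fn=probe, count=2):
    """Steps 4-5: drop controllers that do not answer, keep the `count` fastest."""
    timed = []
    for host in hosts:
        rtt = probe_fn(host)  # probe each controller once
        if rtt is not None:
            timed.append((rtt, host))
    return [host for _, host in sorted(timed)[:count]]


def select_domain_controllers(domain, ip, netmask, probe_fn=probe):
    """Whole auto-populate path for one domain, with the SRV fallback used when
    no site (or no controller of that domain in the site) can be found."""
    site = site_for_subnet(connector_subnet(ip, netmask))
    if site is not None:
        in_site = [h for h, d in SITE_DCS.get(site, []) if d == domain]
        if in_site:
            return fastest_reachable(in_site, probe_fn)
    # Site-unaware fallback: these controllers may sit far from the connector.
    return fastest_reachable(SRV_DCS.get(domain, []), probe_fn)


def first_reachable(hosts, probe_fn=probe) -> Optional[str]:
    """Runtime rule: try the listed controllers in order, use the first that answers."""
    return next((h for h in hosts if probe_fn(h.split(":")[0]) is not None), None)


def parse_properties(text: str) -> dict:
    """Read entries of the assumed form domain=host:port,host:port."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            domain, hosts = line.split("=", 1)
            entries[domain.strip()] = [h.strip() for h in hosts.split(",") if h.strip()]
    return entries


def merge_entries(existing: dict, new: dict) -> dict:
    """Add missing domains only; a domain already present in the file is never overwritten."""
    merged = dict(existing)
    for domain, hosts in new.items():
        merged.setdefault(domain, hosts)
    return merged


def render_properties(entries: dict) -> str:
    """Serialize back to domain=host:389,host:389, adding the port where absent."""
    lines = []
    for domain, hosts in entries.items():
        lines.append(f"{domain}=" + ",".join(h if ":" in h else f"{h}:{LDAP_PORT}" for h in hosts))
    return "\n".join(lines) + "\n"
```

Calling select_domain_controllers for each domain of a new directory and passing the result through merge_entries reproduces the documented behaviour that creating a directory adds domains but leaves existing entries untouched; a connector whose subnet matches no subnet object takes the SRV path, where the chosen controllers can be far from the connector, which is the case the text says to correct by editing the file by hand.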

The /usr/local/horizon/conf/domain_krb.properties file determines the domain controllers to use for directories that have DNS Service Location lookup enabled. You can edit the file at any time to modify the list of domain controllers for a domain, or to add or delete domain entries. Your changes will not be overridden.